Just a couple of questions:

who is the owner of the HELLO file?

who is the owner of the "touch" process?

Is the owner the unprivileged user or the "emacs" system?

Thanks.

On Wed, 26 May 2021 at 17:53, Glenn Morris <rgm@gnu.org> wrote:

Package: emacs,org-mode
Version: 28.0.50
Severity: important
Tags: security

emacs -Q hello.org, where hello.org contains:

#+macro: hello (eval (shell-command-to-string "touch /tmp/HELLO"))
Hello. {{{hello}}}

Then:
M-x org-export-dispatch
t A

-> now /tmp/HELLO exist, with no prompting.

This seems contrary to normal Emacs practice for risky local variables,
and to the section "Code Evaluation and Security Issues" in the Org manual
(which does not mention macros).